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DETAILED ACTION 
Response to Amendment 

Claims 1 and 3-20 are pending. Applicant's arguments/amendments with respect to 
previously presented claims 1 & 3-20 filed 9/8/2006 have been fully considered but are not 
persuasive. The Examiner would like to point out that this action is made Final (See MPEP 
706.07(a)). 

Response to Arguments 

Applicants contend that the combination of "Burn and Carlsson fail to teach or suggest 
reviewing, by a Tokenizing Officer, credentials of the user and forwarding the user ID number 
and token ID number to a CMS system along with an electronic form request and a signature of 
the Tokenizing Officer, wherein the Tokenizing Officer comprises a person." Examiner 
respectfully disagrees. Carlsson et al. disclose a CA administrator who reviews the user's 
credentials and fills out a request on behalf of the user, and transmits the user ID number and a 
token ID number to a CA Centre after signing the form (col. 8, lines 12-37). Applicants added 
emphasis on the term "token ID number" and contend that this particular element is not 
forwarded. Examiner would like to point out that a sequence number of the certificate request is 
included and forwarded (col. 8, lines 34-37), i.e. forwarding the token ID number. Furthermore, 
Carlsson et al. suggest that one would modify the method as disclosed in Burn in order to add a 
Tokenizing Officer who is a person in order to add the advantage of physically checking the 
users' credentials in order to ensure that the users are who they claim to be (col. 8, lines 20-27). 
Thus, the Carlsson et al. in combination with Burn teach/suggest "reviewing, by a Tokenizing 
Officer, credentials of the user and forwarding the user ID number and token ED number to a 
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CMS system along with an electronic form request and a signature of the Tokenizing Officer, 
wherein the Tokenizing Officer comprises a person" as recited in the claims. 

Applicants further contend, "nothing in Carlsson et al. teaches or suggests limiting the 
number of personalized cards that any one user can possess." Examiner would like to point out 
that this limitation is not present in the claim (no use of the term "card" only "token"). So, with 
respect to redundant tokens, which may be a certificate in one form, Carlsson et al. teach that 
when the user role changes, in order to ensure that there are no redundancies, the particular 
certificate is revoked so that the user does not have multiple certificates for various roles that 
they have performed in the past (col 9, lines 14-17). Thus, when a user is obtaining a certificate, 
the certificate is unique for that user for their specific role (where a role is equivalent to the 
department/occupation that the user has and is bound to a unique public key of a public-private 
key pair to ensure that the user is uniquely identified) (col. 9, line 29 - col. 10, line 3 1). 
Furthermore, in another aspect of Carlsson et al, a feature for protection against playback must 
be implemented by a distributed CA, which also ensures no duplicates (col. 1 1, lines 25-33). 

Due to the reasons stated above, the Examiner maintains rejections with respect to 
previously presented claims 1 and 3-20. Burn substantially teaches the limitations that the 
Applicant suggests distinguish from the prior art. Furthermore, Carlsson in combination with 
Burn teach the limitations not explicitly disclosed by Burn. Therefore, it is the Examiner's 
conclusion that the claims are not patentably distinct or non-obvious over the prior art of record 
as presented. 
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Claim Rejections - 35 USC §103 

I. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

II. Claims 1 and 3-20 are rejected under 35 U.S.C. 103(a) as being unpatentable over Burn, 
United States Pub. No. 2003/0005291 and further in view of Carlsson et al, US Patent No. 
6,490,367. 

As per claim 1 : 

Burn substantially teaches a token issuance and binding process comprising: providing a 
plurality of tokens, each token having a unique ID number stored therein (par. 6, lines 1-7 and 
par. 37, lines 1-3); generating a unique public/private key pair for each token (par. 36, lines 8- 
15); storing each token ID number and corresponding public key in a directory/database (par. 36, 
lines 16-19); storing each private key in its respective token (par. 36-37 and table 1, field name 
"User Certificate"); and binding a unique ED number of a user to a corresponding one of the 
plurality of tokens by storing said correspondence there between in the directory/database (par. 
36-37 and fig. 5, element 140). 

Not explicitly disclosed is reviewing, by a Tokenizing Officer, credentials of the user and 
forwarding the user ID number and the token ID number to a CMS (Certificate Management 
System) along with an E-form (electronic form) request and signature of the Tokenizing Officer, 
wherein the Tokenizing Officer comprises a person. However, Carlsson et al. teach reviewing, 
by a Tokenizing Officer, credentials of the user and forwarding the user ID number and the token 
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ID number to a CMS (Certificate Management System) along with an E-form (electronic form) 
request and signature of the Tokenizing Officer, wherein the Tokenizing Officer comprises a 
person (col. 8, lines 12-51). Therefore, it would have been obvious to a person in the art at the 
time the invention was made to modify the method disclosed in Burn to add a Tokenizing 
Officer, who is a person, to review credentials of a user and to forward the user information to a 
CMS along with an electronic request form and Tokenizing Officer's signature. This 
modification would have been obvious because a person having ordinary skill in the art, at the 
time the invention was made, would have been motivated to do so since Carlsson et al. suggest 
that having a person as the Tokenizing Officer is easy to administer and adds to security because 
the credentials are checked by someone who is acquainted with the users so it is harder to forge 
an identity in the binding process in col. 8, lines 20-27. 
As per claim 3 : 

Burn and Carlsson et al. substantially teach the process as applied to claim 1 above. Not 
explicitly disclosed is the binding further comprising the CMS checking for redundant user 
tokens and revoking any such user tokens. However, Carlsson et al. teach revoking tokens of 
individuals when their role has changed in order to do away with redundant certificates, i.e. so 
that one user does not have two valid certificates with different roles especially when one of the 
roles has been revoked. Therefore, it would have been obvious to a person in the art at the time 
the invention was made to modify the method disclosed in Burn to incorporate the ability to 
check and revoke any such tokens that are not distinct. This modification would have been 
obvious because a person having ordinary skill in the art, at the time the invention was made, 
would have been motivated to do so since Carlsson et al. teach that it is important that 
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certificates that are invalid are revoked in order to prevent from users gaining access to various 
objects that they are no longer authorized for in col. 9, lines 14-20. 
As per claim 4: 

Burn and Carlsson et al. substantially teaches the process as applied to claim 3 above. 
Furthermore, Carlsson et al. teach the binding further comprising the CMS filling in the E-form 
from its directory/database and forwarding the filled in E-form to the Tokenizing Officer (col. 8, 
lines 28-37). 
As per claim 5: 

Burn and Carlsson et al. substantially teaches the process as applied to claim 4 above. - 
Furthermore, Carlsson et al teach the binding further comprising the Tokenizing Officer 
reviewing data in filled in E-form and comparing against user credentials and returning same to 
CMS after signing (col. 8, lines 12-27). 
As per claim 6: 

Burn and Carlsson et al. substantially teach the process as applied to claim 5 above. 
Furthermore, Burn teaches generating and wrapping at least a signature certificate/private and 
associated private key for the user in the unique public key of the token and returning same to the 
Tokenizing Officer (par. 44, lines 1-13). Not explicitly disclosed is the binding further 
comprising the CMS validating the Tokenizing Officer's signature. However, Burn teaches that 
when the CA receives a message from the HTP it must be decrypted, hence verified. Therefore, 
it would have been obvious to a person in the art at the time the invention was made to modify 
the method disclosed in Burn to incorporate the ability to validate the HTP's signature. This 
modification would have been obvious because a person having ordinary skill in the art, at the 
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time the invention was made, would have been motivated to do so since Burn suggests that 
validating the Tokenizing Officer's signature is important to ensure that a valid Tokenizing 
Officer is supplying the user information in par. 44, lines 1-5. 
As per claim 7: 

Burn and Carlsson et al. substantially teach the process as applied to claim 6 above. 
Furthermore, Burn teaches the binding further comprising the Tokenizing Officer storing the 
signature certificate/private key for the user in the token (par. 44, lines 14-21). 
As per claim 8: 

Burn and Carlsson et al. substantially teach the process as applied to claim 7 above. Not 
explicitly disclosed is the binding further comprising the user unwrapping the signature 
certificate/private key using the token private key stored in the token. However, Burn teaches 
the HTP unwrapping the signature certificate/private key stored in the token. Therefore, it would 
have been obvious to a person in the art at the time the invention was made to modify the method 
disclosed in Burn to instead have the user unwrap the information in the token. This 
modification would have been obvious because a person having ordinary skill in the art, at the 
time the invention was made, would have been motivated to do so since Burn suggests that in 
order to use the certificate it must be able to be decrypted by the private key stored in the token, 
which is stored therein to ensure that the private key is kept confidential and will not be . 
compromised in par. 44, lines 14-21. 
As per claim 9: 

Burn and Carlsson et al. substantially teach the process as applied to claim 1 above. Not 
explicitly disclosed by Burn is the process wherein providing a plurality of tokens comprises 
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providing a plurality of USB (Universal Serial Bus) tokens. However, Burn teaches the use of a 
hardware token that could be implemented in various ways. Therefore, it would have been 
obvious to a person in the art at the time the invention was made to modify the method disclosed 
in Burn to have the hardware tokens comprise of USB tokens. This modification would have 
been obvious because a person having ordinary skill in the art, at the time the invention was 
made, would have been motivated to do so since Burn suggest that any type of hardware token 
can be used in par. 46. 
As per claim 10: 

Burn teaches the process as applied to claim 1 above. Not explicitly disclosed by Burn is 
the process wherein providing a plurality of tokens comprises providing a plurality of smart 
cards. However, Burn teaches that a smartcard could be used in an alternate embodiment. 
Therefore, it would have been obvious to a person in the art at the time the invention was made 
to modify the method disclosed in Burn to have the hardware tokens comprise of smartcards. 
This modification would have been obvious because a person having ordinary skill in the art, at 
the time the invention was made, would have been motivated to do so since Burn suggests that 
any type of hardware token can be used, for example a smart card, in par. 3 1 . 
As per claim 1 1 : 

The limitations in claim 1 1 are similar in scope to the limitations disclosed in claim 1, 
thus it is rejected for the same reasons since it is merely the system that implements the rejected 
method claim. 
As per claims 12-20: 

The limitations in claims 12-20 are similar in scope to the limitations disclosed in claims 



Application/Control Number: 10/027,607 Page 9 

Art Unit: 2137 

3-10, thus it are rejected for the same reasons since they are merely components of the system 
that implement the rejected method claims. 

^References Cited, Not Used 

The prior art made of record and not relied upon is considered pertinent to applicant's 
disclosure. 

1. U.S. Patent No. 5,943,423 

2. U.S. Patent No. 6,438,550 

The above references have been cited because they are relevant due to the manner in which the 
invention has been claimed. 



Conclusion 

Applicant's amendment necessitated the new ground(s) of rejection presented in this 
Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). 
Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1 .136(a) will be calculated from the mailing date of the advisory action. In no event, 
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however, will the statutory period for reply expire later than SIX MONTHS from the date of this 
final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Nadia Khoshnoodi whose telephone number is (571) 272-3825. 
The examiner can normally be reached on M-F: 8:00-4:30. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Emmanuel Moise can be reached on (571) 272-3865. The fax phone number for the 
organization where this application or proceeding is assigned is 703-872-9306. 




Nadia Khoshnoodi 
Examiner 
Art Unit 2137 
10/2/2006 
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